CVE-2018-18322
published 2018-10-15CVE-2018-18322: CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Command Injection via shell metacharacters in the admin/index.php service_start, service_restart…
PriorityP270critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
15.14%
96.3th percentile
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Command Injection via shell metacharacters in the admin/index.php service_start, service_restart, service_fullstatus, or service_stop parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| control-webpanel | webpanel | — | — |
Detection & IOCsextracted from sources · hover to see the quote
urlhttp://localhost:2030/admin/index.php?module=file_editor&file=/../../../../../../../../../../../etc/passwd↗
- →Detect GET requests to /admin/index.php containing shell metacharacter semicolons (;) in the service_start, service_restart, service_fullstatus, or service_stop query parameters — indicates command injection attempt. ↗
- →Look for URL-encoded semicolons (%3b) followed by shell commands in GET parameters service_start, service_restart, service_fullstatus, or service_stop targeting /admin/index.php on port 2030. ↗
- →Detect path traversal sequences (/../ or %2f..%2f repeated) in the 'file' parameter of /admin/index.php with module=file_editor — indicates Local File Inclusion attempt targeting /etc/passwd or other sensitive files. ↗
- →Monitor HTTP responses from cwpsrv (CWP server) on port 2030 for unexpected numeric output (e.g., arithmetic results like 268409239) in HTML WARNING blocks — a blind command injection canary pattern. ↗
- →Flag requests to /admin/fileManager2.php with script tags or iframe tags in the fm_current_dir parameter — indicates XSS/Frame Injection attempts. ↗
- →Identify the CWP session cookie pattern 'cwpsrv-<hex>' in HTTP requests as a fingerprint for authenticated exploitation attempts against CentOS Web Panel. ↗
- ·The exploit targets CentOS Web Panel version 0.9.8.480 specifically; later versions may have patched these vulnerabilities. ↗
- ·The admin panel listens on non-standard port 2030; detection rules must account for this port rather than standard HTTP/HTTPS ports. ↗
- ·The exploit was tested on CentOS 7; behavior on other OS versions may differ. ↗
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No writeups or analysis indexed.
2018-10-15
Published